Chapter 9:
Protecting User Accounts and Using Parental Controls
135
Handling User Account Control
Applications written for Windows Vista use User Account Control to reduce the attack surface of the operating system. They do this by reducing the basic privileges granted to applications and by helping to prevent unauthorized applications from running without the user’s consent. User Account Control makes it harder for malicious software to take over a computer by ensuring that existing security measures are not unintentionally disabled by standard users running in administrator mode. By helping to ensure that users do not accidentally change settings, User Account Control reduces the cost of managing computers and provides a more consistent environment that should also make troubleshooting easier. User Account Control also helps to control access to sensitive files and data by securing the Documents folder so that one user cannot change, read, or delete files created by another user of the same computer.
Applications that have been certified as compliant with the new Windows Vista architecture will have the Windows Vista–Compliant logo. Although the logo indicates that the program has been written to take advantage of User Account Control, it doesn’t mean that the program will run only in standard user mode. Compliant applications run in the mode appropriate for the functions that they perform and elevate privileges to perform tasks as necessary. Administrators can modify the way User Account Control works as required.
Understanding and Setting Run Levels
In Windows Vista, an application can indicate the specific permission level it needs to function so that it will perform only authorized functions, making the code less vulnerable to exploits by malicious users or malicious software. A new feature in Windows Vista, called Windows Vista Trust Manager, can use this information prior to installing an application to determine whether to allow the application to be installed. If the application’s required permissions are determined to pose no risk, the application can be installed without generating security alerts. However, if the application’s installer writes to sensitive areas or performs tasks that could potentially harm the computer, Windows Vista displays security alerts describing the potential dangers of installing the application and asking for confirmation before proceeding.
Application Manifests and Run Levels are used to help track required privileges. Application Manifests allow administrators to define the application’s desired security credentials and to specify when to prompt users for administrator authorization to elevate privileges. If privileges other than those for standard users are required, the manifest should contain runLevel designations. These runLevel designations identify the specific tasks that the application needs to elevate with an “administrator” token.
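The following application manifest is an added illustration, not an example from the book, of where the run-level designation described above lives. In the manifest schema that Windows Vista ships with, the designation is carried by the level attribute of the requestedExecutionLevel element inside trustInfo; the assembly name, version, and description shown here are made-up placeholders.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <!-- Placeholder identity for the example; a real manifest names the actual executable. -->
  <assemblyIdentity version="1.0.0.0"
                    processorArchitecture="X86"
                    name="Example.StandardUserApp"
                    type="win32" />
  <description>Example application that declares the privileges it needs</description>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!--
          level="asInvoker" is the least-privilege choice: the process runs with the
          token of the user who launched it and never triggers an elevation prompt.
          An application whose tasks genuinely require an administrator token would
          declare level="requireAdministrator" instead, which causes User Account
          Control to ask for consent (or credentials) before the process starts.
          uiAccess="false" is the normal setting; it keeps the application from
          driving the user interface of higher-privilege windows.
        -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

A manifest like this is embedded in the executable (or placed beside it as ExampleApp.exe.manifest) so that the installer and the shell can read the requested level before the program runs; when reviewing software, check that applications that declare requireAdministrator actually need it, since every such declaration trains users to click through elevation prompts.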